The fast-casual restaurant chain says thieves obtained username and password information belonging to customers via a credential stuffing incident.